Fuzzing HTTP Server (PDF.js)

Hi Internet

Summary: While fuzzing Mozilla PDF.js a format string vulnerability it was observed that the development server used in PDF.js gets crash when a malformed URI(bad request) is sent.

PS: The patch for the path traversal bug which was found perviously gave rise to this issue.

I have used boofuzz in the case to fuzz PDF.js, boofuzz is a fork of and the successor to the venerable sulley fuzzing framework, for installation you can simply use pip.

pip install boofuzz

Then,

session = Session(
    target=Target(
        connection=SocketConnection("127.0.0.1", 8888, proto='tcp')))

In boofuzz each message starts with an s_initialize()

s_initialize(name="Request")
    with s_block("Request-Line"):
        s_group("Method", ['GET'])
        s_string("/", name='Request-URI')
        s_string('HTTP/1.1', name='HTTP-Version')

Vulnerable code in PDF.js (webserver.js):

  _handler: function (req, res) {
     var url = req.url.replace(/\/\//g, '/');
     var urlParts = /([^?]*)((?:\?(.*))?)/.exec(url);
     // guard against directory traversal attacks,
     // e.g. /../../../../../../../etc/passwd
     // which let you make GET requests for files outside of this.root
     var pathPart = path.normalize(decodeURI(urlParts[1]));

If you see the bold part of the above code the PDF.js did not have any guard for malformed URI sent in various methods.

However, the fuzzer ran for an hour and it was observed that the HTTP server of PDF.js can't handle malformed strings and server gets crash. While fuzzing with boofuzz its better to start Wireshark on 'lo' to see all the fuzzed request which are sent to the server. I found /%s%s%s was used in this case.

curl -v -X GET 127.0.0.1:8888/%s%s%s

The PDF.js server gets crash and below traces are left.

Server running at http://localhost:8888/
[12:16:22] 'server' errored after 1.01 h
[12:16:22] URIError: URI malformed
at decodeURI ()
at WebServer._handler (/Users/Dhiraj/Desktop/pdf.js/test/webserver.js:86:35)
at Server.emit (events.js:188:13)
at Server.EventEmitter.emit (domain.js:459:23)
at parserOnIncoming (_http_server.js:676:12)
at HTTPParser.parserOnHeadersComplete (_http_common.js:113:17)

However, the bug was submitted to Mozilla and a patch was deployed for same.

Patch code in PDF.js (webserver.js):

    try {
       // Guard against directory traversal attacks such as
       // `/../../../../../../../etc/passwd`, which let you make GET requests
       // for files outside of `this.root`.
       var pathPart = path.normalize(decodeURI(urlParts[1]));
     } catch (ex) {
       // If the URI cannot be decoded, a `URIError` is thrown. This happens for
       // malformed URIs such as `http://localhost:8888/%s%s` and should be
       // handled as a bad request.
       res.writeHead(400);
       res.end('Bad request', 'utf8');
       return;
     }
     var queryPart = urlParts[3];
     var verbose = this.verbose;

If you are a mozillian and you like my work towards PDF.js, don't hesitate to vouch me :) Hope you like the read.
https://mozillians.org/en-US/u/Dhiraj_Mishra/

Thank you

Dhiraj

Read More

I swiped right

Hi Internet,

Summary: By using multi-gesture trackpad along with Safari browser in MacBook Pro, one can view sensitive data which is cached in your Safari browser. (Note: This is not a back button browsing vulnerability)

I figured out this issue while playing around with Safari browser, looks like the most recent activity of any authenticated or un-authenticated website is stored in cache of Safari browser and by taking the advantage of multi-gesture trackpad we can retrieve any or all information about that activity.

Looks like Apple provides a feature in trackpad which allows users to swipe between the pages or applications. It also allows you to tap, swipe, pinch, or spread one or more fingers to perform useful actions but seems they forgot to add some security measures in this.

Trackpad settings

Steps to reproduce:
1. Open safari browser (v12.0.2 (14606.3.4) was used in this case)
2. Login to any dynamic website (I've used www.gmail.com)
3. Perform your dynamic activity
4. Logout (But don't close your safari browser)
5. Now swipe right

You would actually see your recent data, between the pages. I've also created a video proof-of-concept for same.

Apple says: After reviewing your report we do not see any actual security implications. (I think this was the lamest vendor response).



But, I feel like this is an interesting issue which can be exploited by local attacker. Also this only works with safari browser. I hope you like the read.

Thank you

Dhiraj

Read More

Metadata and potential password leak in aria2

Hi Internet,

Summary: aria2 is a lightweight multi-protocol command-line utility, which store's "HTTP Basic Authentication" username and password in a file when `--log` attribute is used.

This issue was observed while performing the code review of aria2, However the file HttpConnection.cc was responsible for this issue, below is the vulnerable code :

1. It was observed that URL's which gets downloaded via `--log=` attribute stored sensitive information.
2. In combination with HTTP authentication a username and password can be part of the URL.
    `aria2c --log=file https://user:passwd@example.com/`

In such case the log file contains password as well, sometimes URL's may contain secret tokens, e.g. private file shared on a file hosting service. In general storing metadata at unexpected places should be avoided, rest other utility like cURL was patched to this issue, it uses HTTP digest authentication mechanism for such case.

Moving further this issue was patched and such information will be masked in latest versions of aria2. This is also similar to when URL of downloads gets stored via filesystem attributes on systems that support unix extended attributes. You can see these attributes on Linux systems by running getfattr -d [filename]

Later CVE-2019-3500 was assigned to this issue, hope you like the read.

Thank you

Dhiraj

Read More